
critical iauth fix (Re: new vulnerability)



The patch posted a while back by Michal 'pht' Svoboda is now
also available from ftp.irc.org.

While this is not the best way to fix the problem, it works
and has the advantage of not requiring ircd to be restarted
to be put in place.

For completeness, I must add that not running iauth is the
only correct workaround (contrary to what I stated in my
previous post), and that all 2.10.x versions appear to be
vulnerable.

Cheers,
Christophe

On May 22, Christophe Kalt wrote:
| Hi,
| 
| a new problem was found in the IRC server which potentially
| affects all existing versions which are configured to use
| iauth.  Exploiting this problem allows a user to generate
| network splits.
| 
| Fortunately, there is a quick fix which consists of:
| 	a) not running iauth
| or
| 	b) disabling the rfc931 module
| 
| A patch will be released early next week, to allow some time
| for admins to install the workaround described above.
| 
| Christophe